CWE Rule 322

Key Exchange without Entity Authentication

Since R2024a

expand all in page

Description

Rule Description

The product performs a key exchange with an actor without verifying the identity of that actor.

Polyspace Implementation

The rule checker checks for TLS/SSL connection method not set.

Examples

expand all

Issue

The issue occurs when you call one of these functions without explicitly setting the connection method of the TLS/SSL context.

  • SSL_read

  • SSL_write

  • SSL_do_handshake

The communication between server and client entities that use a TLS/SSL connection begins with a handshake. During the handshake, the parties exchange information and establish the encryption algorithm and session keys the parties use during the session. The connection methods for the server and client use different routines for the handshake.

The checker raises no defect if:

  • You use SSL_connect (client) and SSL_accept (server) functions. These functions set the correct handshake routines automatically.

  • You pass the SSL context as an argument to the function that calls SSL_new.

  • You declare the SSL context outside the scope of the function handling the connection.

Risk

You cannot begin a handshake if the SSL engine does not know which connection method routines to call.

Fix

  • For client handshake routines, call SSL_set_connect_state before you begin the handshake.

  • For server handshake routines, call SSL_set_accept_state before you begin the handshake.

Example — Server Connection Method Not Set Explicitly
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>

#define fatal_error() exit(-1)

int len;
unsigned char buf;
volatile int rd;

const SSL_METHOD*  set_method()
{
    return SSLv23_server_method();
}

void func()
{
    int ret;
    SSL_CTX* ctx;
    SSL* ssl;
    const SSL_METHOD* method =  set_method();
    ctx = SSL_CTX_new(method);
    ssl = SSL_new(ctx);

    switch (rd) {
    case 1:
        ret = SSL_read(ssl, (void*)buf, len); //Noncompliant
        if (ret <= 0) fatal_error();
        break;
    case 2:
        ret = SSL_do_handshake(ssl); //Noncompliant
        if (ret <= 0) fatal_error();
        break;
    default:
        ret = SSL_write(ssl, (void*)buf, len); //Noncompliant
        if (ret <= 0) fatal_error();
        break;
    }
}

In this example, the SSL context ctx is generated with server connection method SSLv23_server_method. However, the connection method is not set explicitly for the SSL structure ssl before the attempt to read from the connection, initiate a handshake, or write to the connection.

Correction — Set Server Connection Method Explicitly

One possible correction is to call SSL_set_accept_state to set the server role for the SSL structure ssl before you begin the handshake.

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>

#define fatal_error() exit(-1)

int len;
unsigned char buf;
volatile int rd;

const SSL_METHOD*  set_method()
{
    return SSLv23_server_method();
}

void func()
{
    int ret;
    SSL_CTX* ctx;
    SSL* ssl;
    const SSL_METHOD* method =  set_method();
    ctx = SSL_CTX_new(method);
    ssl = SSL_new(ctx);
	SSL_set_accept_state(ssl);
	

    switch (rd) {
    case 1:
        ret = SSL_read(ssl, (void*)buf, len);
        if (ret <= 0) fatal_error();
        break;
    case 2:
        ret = SSL_do_handshake(ssl);
        if (ret <= 0) fatal_error();
        break;
    default:
        ret = SSL_write(ssl, (void*)buf, len);
        if (ret <= 0) fatal_error();
        break;
    }
}

Check Information

Category: Key Management Errors

Version History

Introduced in R2024a

See Also

Topics

External Websites